Our Products

Data Breaches - Universities a Growing Target for Data Theft

Posted by Geraldine Hunt on Mon, Sep 3rd, 2018

Educational institutions, both K12 and higher education, are hacked on a regular basis, the situation shows no signs of improving. The implications of any data theft are huge: reputational, legal, economic and operational. Future funding may be affected, as well as possible loss of future student fees and associated income. An article in the Huffington post last year gave examples of 5 colleges with data breaches even larger than the Sony breach.

Here are a few examples of recent education data breaches:

Networks at the University of Maryland were hacked in January 2014, resulting in the records of 310,000 students being exposed. The breach cost the university more than $6 million to pay for victims to receive credit monitoring services.

Park Hill School District in Kansas City, Missouri, reported a breach in July 2014 when a former employee accessed sensitive student and employee data and subsequently the data was inadvertently published on the Internet. Over 10,000 people were affected; breached records included Social Security numbers and employee evaluations.

In June 2014, over 30,000 students at the Riverside Community College District in California had their data exposed, including Social Security numbers and academic records, when an employee emailed records via a non-secure system to an incorrect email address.

Universities UK, an organization comprising the chief executives of UK Universities working to support and promote the UK higher education sector, commissioned a report looking into approaches to implementing cybersecurity in higher education institutions at an executive level.

Their suggestions on how to provide suitable cyber security appear very similar to approaches any large company should be tackling:

Assessing the institutional risk by identifying information assets, evaluating their vulnerabilities and establishing their management priorities.

Establishing effective oversight and reporting of information risks between the institution’s board and the owners, controllers and users of information assets.

Implementing appropriate general and targeted network controls, including sharing and updating awareness of vulnerabilities and practices internally and externally.

The nature of, and reliance on, the data plus a wide set of activities requires a set of targeted cyber security models appropriate and proportionate for their assets.

Lots of sensitive data worth stealing

Data is relied on for the successful operation of the institution as well as a requirement for research and the production of further data. It can be the main intellectual asset, sometimes politically or commercially sensitive and essential for the university to meet its commercial or academic needs. Just consider the nature of climate change data, or medical records. Or it could be enterprise data, on students, finances, and HR: subject to the usual data protection laws.

The implications of any data theft are huge: reputational, legal, economic and operational. Future funding could be affected, as well as possible loss of future student fees and associated income. Prosecution and other penalties could arise, or the loss of intellectual property assets. There may even be damage to infrastructure that cripples the activities of the institution.

University Networks used to fuel attacks on external systems

The personal and financial data stored on university data systems is of great value to the cyber-criminal. However, commercial data can be of interest to corporate spies and scientific or grant-related research can be targeted by nation-state backed groups.

Even university infrastructure, with its large bandwidth and powerful servers, is a target for hackers. It can be hijacked and used to direct attacks on other external systems. When the New York Times’ computer systems were hacked in 2013, the subsequent investigation found that the attacks had been directed through compromised computers at US universities.

Infrastructural problems and silos - a network security nightmare.

However, the nature of the University campus and network is the real difference between higher-education establishments and the corporate network. Made up of many, sometimes dispersed, networks; the university network infrastructure is the corporate security officer’s nightmare. But this is not down to any lack of foresight or ignorance on campus IT security. It is far from it. The educational environment and historically open campus mean there is not the tight security focussed infrastructure that corporate networks exemplify.

A regular flux of undergraduates; researchers and graduates collaborating and sharing data globally; visiting academics; “bring your own device” infrastructures long before the business even considered it. These are environments where the concept of tight data security has traditionally been unhelpful or even unwanted. When an institution thrives on the free exchange of data and ideas, it cannot easily apply the same security measures as larger businesses do.

Security is a trade off

There is a fine-balance on what has to be allowed and what security measures can be put into place. Security in all organizations, commercial or academic, is a trade-off between the likelihood and potential impact of an attack and the financial cost or loss of utility that are incurred in defense. Increasing online threats and tough new penalties for data breaches are forcing universities to take cybersecurity more seriously than ever.

One successful approach has been to segment and partition campus networks as much as possible so that the most sensitive and valuable data can be protected adequately while allowing for relatively open parts of the network to support educational and research needs. This can be complex and requires detailed risk analysis, management prioritization and associated security measures. In fact, this is an approach that is starting to be seen in corporate networking. The dangerous ‘outside world’ and the safe local network is the old-fashioned view of things. The DMZ that used to sandbox the systems shared between both WAN and LAN is now being considered as the protected zone to secure servers from both the outside and internal worlds: using security systems that monitor the network for behavioral anomalies, rather than rely on perimeter-based protection.

And here, universities may be ahead of the corporate world.

The TitanHQ team have worked on email anti-spam solutions for schools, web filtering for education and email archiving for schools for over 20 years. We have a deep understanding of the web security issues that all schools and colleges have protecting students, school staff, and visitors.